Check you chmod settings
The most common source of malicious file uploads on an up to date cPanel site is a bad chmod setting. Chmod is a pretty simple yet effective way for Unix based webhosting platforms to control access to the the file structure by controlling who has read, write, and execute privileges.
In general, all of your files should be set to 644 and your folders to 755 on a normally configured website. The exception to this rule is an uploads folder which should be 666 or 766.
A very common mistake for new developers/admins who do not know how chmod works is to trouble shoot a problem by opening chmod all the way up 777 (usually when trying to get an uploads folder to work), seeing that the problem is fixed, and then leaving it that way. By setting that last number to 7 (or 3) you give everyone on the internet permission to both upload and execute scripts in your uploads folder. This is a bad combination because it means anyone can upload a script AND tell it to run. When you upload a script to a properly configured uploads folder, the folder does not allow the script to be run so it just sits there harmlessly.
...or it could be a script injection exploit
Another, less common but possible vulnerability would be at the application level. If you application works by taking input from an end user, and then writing that to a file, then it is possible that the file is being written into a default 755 folder with default 644 file privileges. There are too many variations of this to go over in detail, but the general way this attack works is to inject a script through a normal user interface, then tell the system to create some manner of export file, then change the extension to something executable like a myexport.php. Then when you go to "download" your export file, it instead executes the file containing a php script, and the php script then writes the virus to your website procedurally.
A lot of developers don't think to adjust their chmod settings in situations where they are generating downloadable files via PHP because nothing actually needs to be uploaded; so, it works just fine with default settings.
If it was uploaded via script injection like this, it will not show up as anything unusual in your access logs because no files were actually uploaded. All the "uploading" would have been done through normal looking web traffic. That said, you may find some telltale code somewhere in your database if the hacker did not clean up after himself.